IRS Exposes SSNs in Database of Public Tax Filings

The Social Security Numbers of tens of thousands of Americans ended up in a searchable public database that provides access to the tax filing applications of Section 527 political organizations on the Internal Revenue Service’s website.

According to OpenSecrets.org, 527s are “…tax-exempt group[s] organized under section 527 of the Internal Revenue Code to raise money for political activities including voter mobilization efforts, issue advocacy and the like.”

The public information dissemination nonprofit, Public.Resource.Org, wrote a letter to the IRS [PDF] earlier this month requesting that the government’s tax collector temporarily remove the forms from its website in order to properly redact the highly sensitive information.

In a phone interview, Carl Malamud, the founder of Public.Resource.Org, told Threatpost that the IRS exposed tens of thousands of Social Security Numbers at the least, and may have in fact exposed more than 100,000.

The IRS has since taken the forms offline, but finds itself in something of a catch-22.

“When we were alerted last week that a substantial number of Social Security numbers were posted on IRS.gov in forms filed by section 527 political organizations, the IRS decided out of an abundance of caution to temporarily remove public web access to the records,” the agency said in a statement.

“The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 organizations,” the statement goes on. “The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including Social Security numbers, in their public filings.”

8871, 8872, and 990 forms are all documents that an organization must complete in order to apply for Section 527 tax-exempt status.

As Malamud clarified, none of these forms explicitly or directly ask for Social Security Numbers. However, sometimes applicants attach to these forms other tax documents, such as their SS-4, that do ask for Social Security Numbers. The SS-4 is an application form through which individuals may request an employee identification number (EIN). The IRS does require that applicants provide their EIN in order to achieve 527 status, but they are not required to attach the SS-4 form. Only the number itself is necessary. Malamud claimed that applicants attach such documents in an attempt to more concretely prove the legitimacy and accuracy of the information they are providing as part of their 527 filings, despite the fact that there is no need to do so and, furthermore, the IRS urges applicants not to do so.

“While the public posting of this database serves a vital public purpose (and this database must be restored as quickly as possible) the failure to remove individual Social Security Numbers is an extraordinarily reckless act,” Malamud wrote in a statement.

It is not clear why applicants feel the need to attach private documents along with public filings, but it is clear, according to Malamud, that the IRS is not doing enough to protect the privacy of filers.

“I think we can all agree that it is not proper for the United States government to be disclosing such information on your website as such practices are prohibited under the Privacy Act of 1974 and the E-Government Act of 2002,” Malamud wrote in a letter to the IRS and Treasury Department.

There is no doubt that this is a touchy situation for the IRS, which is required by law to publish such documents without removing or altering any information, as noted on the tax agency’s website:

“Because the IRS is required to disclose approved exemption applications and information returns, exempt organizations should not include Social Security numbers on these forms. By law, with limited exceptions, the IRS has no authority to remove that information before making the forms publicly available. Documents subject to disclosure include attachments filed with the form and correspondence with the IRS about the filing.”

Malamud, though, suggests that the IRS either bounce public filings back to applicants when they include sensitive information or develop some algorithmic means of scanning these documents for Social Security Numbers and redacting them when necessary.
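A minimal sketch of the kind of scan-and-redact pass Malamud describes, added here as an illustration and not taken from the IRS, Public.Resource.Org or the original article. The function names, the mask string and the sample text are assumptions; the sample is constructed and stands in for text already extracted from a filing attachment.

```python
import re

# Nine digits as AAA-GG-SSSS, AAA GG SSSS or AAAGGSSSS. The lookarounds keep the
# pattern from firing inside longer digit runs or inside an EIN (NN-NNNNNNN).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
CONTEXT_RE = re.compile(r"ssn|social\s+security", re.IGNORECASE)
MASK = "[SSN REDACTED]"  # assumed placeholder text


def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def redact_ssns(text):
    """Return (redacted_text, number_of_redactions)."""
    hits = 0

    def repl(m):
        nonlocal hits
        area, sep, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            return m.group(0)
        if sep == "":
            # Bare nine digits are ambiguous (unhyphenated EIN, account number):
            # redact only when an SSN keyword appears earlier on the same line.
            line_start = text.rfind("\n", 0, m.start()) + 1
            if not CONTEXT_RE.search(text[line_start:m.start()]):
                return m.group(0)
        hits += 1
        return MASK

    return SSN_RE.sub(repl, text), hits


# Constructed sample standing in for text extracted from a filing attachment.
SAMPLE = (
    "EIN: 12-3456789\n"
    "Responsible party SSN: 123-45-6789\n"
    "Treasurer social security no. 234567890\n"
    "Reference number 345678901\n"
    "Not issuable: 000-12-3456, 912-34-5678\n"
)

if __name__ == "__main__":
    redacted, count = redact_ssns(SAMPLE)
    print(f"{count} redaction(s)\n{redacted}")
```

The EIN survives because its hyphen sits after the second digit, and the unlabelled nine-digit reference number survives because nothing on its line marks it as an SSN.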

About Brian Donohue


I’m not sure this is actually a case of ineptness this time, as they did exactly as specified. This is more of a logic fault with the law. If the law says post without altering, then why would we expect the underpaid drudgeon scanning these in to break the law and alter them? Most of us in that position would probably chuckle to ourselves, think “Sucks to be you filer,” and get on with our job. Let this be a lesson to our lawmakers in careful wording.
